I use a reverse proxy (Caddy), and point a domain at my machine.ts-domain.ts.net which hosts Caddy.
This way I can go to service.my.domain instead of machine:port as long as I’m connected to Tailscale. Any devices not on my Tailscale network just get bounced if they hit the domain.
Basically yeah.
CNAME points my.domain to *.machine-that-hosts-caddy.my-ts-domain.ts.net.
Caddy running on that machine directs subdomains to machine:port pairs, where “machine” is either the Tailscale name or IP for the machine hosting the service.
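As an added illustration of the setup described in this thread (not config from either poster), here is what the Caddyfile on the Tailscale node could look like. Every hostname, port and tailnet name below is a placeholder: `media-box` and `monitor` stand for MagicDNS names of other tailnet machines, `100.101.102.103` for a tailnet IP, and `my.domain` for the custom domain whose wildcard CNAME points at the Caddy host.

```caddyfile
# Added example Caddyfile, not from the original thread.
# Assumptions: *.my.domain is a CNAME to the Tailscale node running Caddy,
# so the names only resolve to a 100.x.y.z address reachable on the tailnet.
# Hosts not on the tailnet get no route to that address and are dropped.

# Certificates: these names are not reachable from the public internet, so the
# default ACME HTTP challenge cannot complete. Either use Caddy's internal CA
# (tls internal, trusted only on devices that import Caddy's root) or a DNS
# challenge via a Caddy DNS-provider plugin for your registrar.

jellyfin.my.domain {
    tls internal
    # "media-box" is the Tailscale MagicDNS name of the machine running the service
    reverse_proxy media-box:8096
}

grafana.my.domain {
    tls internal
    # A tailnet IP works just as well as the MagicDNS name
    reverse_proxy 100.101.102.103:3000
}

# Catch-all so an unknown subdomain does not fall through to the first site block
*.my.domain {
    tls internal
    respond "unknown service" 404
}
```

Each site block maps one subdomain to one machine:port pair, exactly as the reply above describes. The `*.my.domain` block at the end is a defensive extra: without it, Caddy would answer an unrecognised subdomain with whichever site matched first. Note that the "bounce" for non-tailnet devices comes purely from the CNAME target resolving to a tailnet-only address; if the Caddy host also has a public interface, add explicit access controls rather than relying on that alone.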